This is a hello world with HashiCorp Vault: the smallest setup that gets a production-mode server (TLS and persistent storage, as opposed to vault server -dev) working.
I had looked high and low for a way to configure the simplest possible production Vault server, and I was not able to find anything in which every step worked.
Assumptions
It is assumed that one has command line access to a CentOS Linux release 7.9.2009 (Core) or equivalent and Vault v1.8.2 (aca76f63357041a43b49f3e8c11d67358496959f) installed.
Ensure that your bash PATH variable includes /usr/local/bin. Note that sudo ignores it (the CentOS 7 sudoers sets secure_path to /sbin:/bin:/usr/sbin:/usr/bin), so when running vault under sudo, call it by its full path, /usr/local/bin/vault.
Install Vault
wget https://releases.hashicorp.com/vault/1.8.2/vault_1.8.2_linux_amd64.zip
unzip vault_1.8.2_linux_amd64.zip
sudo mv vault /usr/local/bin/
Install OpenSSL
CentOS 7 ships OpenSSL 1.0.2, which is too old: the req -addext option used below to put a subjectAltName into the certificate appeared in OpenSSL 1.1.1. We build a current release under /opt/ssl and leave the system copy untouched.
yum -y update
# Install required packages
yum install -y make gcc perl-core pcre-devel wget zlib-devel
# Download the latest version of OpenSSL source code
wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz
# Configure, build and install OpenSSL
# Uncompress the source file
tar -xzvf openssl-1.1.1k.tar.gz
# Change to the OpenSSL directory
cd openssl-1.1.1k
# Configure the package for compilation
./config --prefix=/opt/ssl --openssldir=/opt/ssl/etc/ssl --libdir=lib no-shared zlib-dynamic
# Compile package
make -j4
# Install compiled package
sudo make install
Make TLS Certificates
A production Vault server listens over TLS, so it needs a certificate. Here we make a self-signed one with the host's IP address in the subjectAltName: Go clients, including the vault CLI, match an IP in the URL only against IP SANs, never against the CN, which is why the old OpenSSL's missing -addext was a problem.
IP=$(hostname -I | cut -f1 -d" ")
sudo mkdir -p /opt/vault/{tls,data}
# alias openssl=/opt/ssl/bin/openssl
# No LD_LIBRARY_PATH is needed: the build above used no-shared, so /opt/ssl/bin/openssl
# is statically linked (and sudo strips LD_* variables from the environment anyway).
cd /opt/vault/tls \
&& sudo rm -f tls.key tls.crt \
&& sudo /opt/ssl/bin/openssl req -out tls.crt -new -keyout tls.key -newkey rsa:4096 -nodes -sha256 -x509 -subj "/O=HashiCorp/CN=Vault" \
-addext "subjectAltName = IP:${IP}" -days 3650
# Only an IP: entry is listed; a DNS: entry holding an IP literal is never matched.
# tls.key is the private key and should be readable by root only (openssl writes it 0600);
# check with: ls -l /opt/vault/tls
Configure Vault
Create a file called config.hcl with the following content. Replace $IP with the address you get from hostname -I (the same one that went into the certificate).
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/tls.crt"
  tls_key_file  = "/opt/vault/tls/tls.key"
}
# The listener serves TLS, so the advertised API address must be https as well.
api_addr = "https://$IP:8200"
# Single-node, non-HA storage on local disk; fine for this exercise.
storage "file" {
  path = "/opt/vault/data"
}
max_lease_ttl     = "10h"
default_lease_ttl = "10h"
ui = true
Run the Vault Server
The moment of truth: actually running the Vault server. Keep this console window open (the server logs here) and use a second window for the remaining commands. Vault needs root (or CAP_IPC_LOCK) to mlock its memory, which is why it runs under sudo, and sudo's secure_path on CentOS 7 does not include /usr/local/bin, so give the full path:
sudo /usr/local/bin/vault server -config=config.hcl
Check Vault Status
First set some variables then check vault status. NOTE: for subsequent commands these bash variables need to be set:
IP=$(hostname -I | cut -f1 -d" ")
export VAULT_ADDR=https://${IP}:8200
export VAULT_CACERT="/opt/vault/tls/tls.crt"
The next command checks that Vault is running and that you can connect to it over TLS using the certificate above. Right after a fresh start it reports Initialized false and Sealed true; that is expected. Note the exit code: vault status exits 0 when unsealed, 2 when sealed, and 1 on a connection or other error, which scripts can rely on.
vault status
Unseal Vault and Login
vault operator init -key-shares=1 -key-threshold=1
This prints one unseal key and the initial root token. Take note of both: the key unseals the server after every restart, the token is what you log in with. (A single key share defeats the point of Shamir splitting; it keeps this hello world short, but a real deployment uses several shares with a threshold and does not leave them in a terminal scrollback.)
vault operator unseal
Paste your unseal key at the prompt.
vault login
Paste the root token at the prompt.
Verify Persistent Storage
Ensure that our production server actually keeps secrets across server restarts, which is what distinguishes it from a dev server.
Enable secrets backend:
vault secrets enable -version=2 -path=kv2 kv
Now add a secret:
vault kv put kv2/secret username=admin password=qwertyasdf
Now read it back:
vault kv get kv2/secret
Shut down the server with CTRL-c in the terminal where it is running, then
start it again with the same command.
Now unseal and log in again as above (do not run init a second time: the server is already initialised, and the existing unseal key and root token remain valid).
Finally see if we can print our secret:
vault kv get kv2/secret
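Tying the steps above together, here is an added example (my own script, not from the original post or from HashiCorp) that takes the single-node server from freshly started to unsealed, logged in and holding a secret, and that can be re-run after the restart to prove the secret survived. It assumes the post's paths and names (/opt/vault/tls/tls.crt, the kv2 mount, key-shares=1) and vault on PATH; the state directory /root/vault-init, the write/check mode argument and the helper names are this example's own. The parsing helpers read the JSON from vault operator init -format=json without jq, and the seal-state helper encodes the vault status exit codes (0 unsealed, 2 sealed, otherwise error).

```bash
#!/usr/bin/env bash
# Added example (not from the original post): bootstrap the post's single-node Vault
# from "started, sealed" to "unsealed, logged in, secret stored", then re-check after
# a restart. Assumes the post's paths; STATE_DIR is this script's own choice.
set -eu

STATE_DIR="${STATE_DIR:-/root/vault-init}"   # assumption: where init material is kept

# ---- pure-shell helpers (no jq); also usable on a saved init.json -------------

# Collapse JSON to one line so the sed helpers below work on the pretty-printed
# output of `vault operator init -format=json` as well as on compact JSON.
json_flat() { tr -d '\n' | tr -s ' '; }

# First unseal key from init JSON (with -key-shares=1 there is exactly one).
extract_unseal_key() {
  json_flat | sed -n 's/.*"unseal_keys_b64": *\[ *"\([^"]*\)".*/\1/p'
}

# Initial root token from init JSON.
extract_root_token() {
  json_flat | sed -n 's/.*"root_token": *"\([^"]*\)".*/\1/p'
}

# `vault status` exit codes: 0 = unsealed, 2 = sealed, anything else = error
# (connection refused, wrong CA certificate, ...).
seal_state_from_exit() {
  case "$1" in
    0) echo unsealed ;;
    2) echo sealed ;;
    *) echo error ;;
  esac
}

# ---- steps that talk to the server -------------------------------------------

vault_env() {
  local ip
  ip=$(hostname -I | cut -f1 -d" ")
  export VAULT_ADDR="https://${ip}:8200"
  export VAULT_CACERT="/opt/vault/tls/tls.crt"
}

current_state() {
  local rc=0
  vault status >/dev/null 2>&1 || rc=$?
  seal_state_from_exit "$rc"
}

init_if_needed() {
  if vault status -format=json 2>/dev/null | grep -q '"initialized": *true'; then
    echo "already initialised, reusing $STATE_DIR/init.json"
    return
  fi
  install -d -m 700 "$STATE_DIR"
  # Same single share/threshold as the post: fine for a hello world, not for real use.
  vault operator init -key-shares=1 -key-threshold=1 -format=json > "$STATE_DIR/init.json"
  chmod 600 "$STATE_DIR/init.json"   # the only copy of the unseal key and root token
}

unseal_and_login() {
  local key token
  key=$(extract_unseal_key < "$STATE_DIR/init.json")
  token=$(extract_root_token < "$STATE_DIR/init.json")
  if [ "$(current_state)" = sealed ]; then
    vault operator unseal "$key" >/dev/null
  fi
  vault login -no-print "$token"
}

persistence_roundtrip() {
  case "$1" in
    write)
      vault secrets list -format=json | grep -q '"kv2/"' \
        || vault secrets enable -version=2 -path=kv2 kv
      vault kv put kv2/secret username=admin password=qwertyasdf >/dev/null ;;
    check)
      # Prints "admin" if the file backend kept the secret across the restart.
      vault kv get -field=username kv2/secret ;;
  esac
}

main() {
  vault_env
  echo "state before: $(current_state)"
  init_if_needed
  unseal_and_login
  persistence_roundtrip "$1"
  echo "state after: $(current_state)"
}

case "${1:-}" in
  write|check) main "$1" ;;
  *) echo "usage: $0 write|check  (or source this file for the helpers)" >&2 ;;
esac
```

Run it once as bootstrap.sh write, restart the server, then run bootstrap.sh check: the second run skips init, unseals with the saved key and prints admin if the file backend persisted the secret. Because the init output is the only copy of the unseal key and root token, the script keeps it root-owned with mode 0600 rather than echoing it to the terminal.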